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Purpose 

•  Provide  information  about  the  current 
ATEC  methodology  for  conducting 
Information  Assurance  (IA)  assessments 

•  Describe  challenges  to  correctly 
characterizing  system  IA  capabilities 


Information  Assurance  Policies 


Public  Law  107-347  -  Agencies  identify  &  provide  information  security 
protection 


DoDD  8500.1  -  IA  requirements  included  in  all  aspects  of  DoD  information 
systems 

DoDI  8500.2  -  Provides  baseline  IA  controls  for  DoD  information 
systems 


DoD  CIO  Memorandum,  DIACAP  -  Requires  DoD  to  certify  and 
accredit  information  systems 


Protect,  Detect,  React  &  Restore 


CJCSI  6212.01  -  Requires  Joint  IT  and  NSS  to  be  IA 
compliant 

AR  25-1  -  Establishes  the  Army  IA  program 
for  infrastructure,  networks  and  systems 

AR  25-2  -  Implementation  guidance 
for  the  Army  IA  program 

DA  CIO/G-6  Memorandum  - 

Army  implementation  of  DIACAP 


Net-Readiness 


NR-KPP  consists  of  verifiable  performance  measures  and  metrics  used 
to  assess  ...  information  assurance,  and  net-ready  attributes  required  for 
both  the  technical  exchange  of  information  and  the  end-to-end  operational 
effectiveness  of  that  exchange 

Four  NR-KPP  elements  include:  compliance  with  ...,  and  verification  of 
compliance  with  DOD  information  assurance  requirements 

IA  policies  and  processes  apply  to  the  entire  lifecycle  of  IT  and  NSS 

Threshold  criteria  -  Information  assurance  requirements  including 

availability,  integrity,  authentication,  confidentiality,  and 
nonrepudiation,  and  issuance  of  an  IATO  by  the  DAA 

Objective  criteria  -  Information  assurance  requirements  including 
availability,  integrity,  authentication,  confidentiality,  and  nonrepudiation,  and 
issuance  of  an  ATO  by  the  DAA 


DIACAP  -  Why  T ransition? 


https://diacap.iaportal.navv.mil 


DITSCAP  &  Army  C/A 
processes  written  for 
stand  alone  or  stove  pipe 
systems 

DODI  8500.2  IA  controls 
not  considered 

DAA  delegated  to  the 
lowest  level  limits  “Big 
Picture”  consideration 

Too  many  CAs  limits 
consistent  assessments 

No  qualification 
requirements  for  ACAs 

IS  deployed  with  no 
easily  identifiable 
responsible  government 
owner 
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Make  Certification  Delemulnatlon 
S  Accreditation  Decision 


DIACAP  does  not  ensure  IA;  only  shows  how  well  system  has 

implemented  baseline  controls 
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*Memo,  DOTE,  Subject:  Policy  for  Operational  T&E  of  IA  for 
Acquisition  Systems,  26  November  2006 


ATEC  IA  Methodology 
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Actual  Network 
under  test;  includes 
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Capability  Domain 


(Force 

Effectiveness 

Metrics) 


Capabilities 


Based  on  Network 
Environment,  ability 
of  unit  to: 

-Improve  Speed-of- 
Command, 

-Improve  Self 
Synchronization, 
-Improve  Force 
Agility 

-Improve  Information 
Superiority 


Capabilities  & 

Limitations 

Summary 

•  Platform 

•  System 
•SoS 

•  Force 


Limitations 


ESS  +Unknowns 


IGT  -  Independent  Government  Test;  EUT  -  Early  User  Test;  LUT  -  Limited  User  Test;  IOT  -  Initial  Operational  Test;  CE  -  Continuous  Evaluation;  ACTD  -  Advanced  Concept  Technology  Demonstration; 
OA/OE  -  Operational  Assessment/Operational  Evaluation;  SWB  -  Software  Blocking;  FUE  -  First  Unit  Equipped;  M&S  -  Modeling  and  Simulation;  ESS  -  Effectiveness,  Suitability,  Survivability;  NW  -  Network; 
C2  -  Command  and  Control;  FoS  -  Family  of  Systems;  SoS  -  System  of  Systems 


ATEC  IA  Methodology 


System  Acquisition  Life  Cycle 
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Interim  Guidance  and  DoD  8500  Series 


IA  OT  Entrance  Criteria 


iteria 


ATEC  ensures  PM  documents  IA  plans  and  results; 
ATEC  observes  PM  IA  events  to  understand  system 
C&L,  how  to  test,  compliance  and  readiness  for  OT 


For  DIACAP,  PM  responsible  for  conducting  susceptibility 
analysis  (laboratory/DT)  not  subject  to 
AR  380-53  -  PM  will  not  portray  Threat  10 


£1  MAC  and  CL  documented 

£llA  controls  implemented 

21  DIACAP  compliance  review 

21  DAA  approved  SSAA  (DITSCAP) 
or  DIACAP  POA&M,  DIP 


21  ATO/IATO  (before  OT) 

21  j-6  l&S  Certification 

21  Other  CJCSI  6212.01  compliance 
requirements  met.  (i.e.  E3,  HERO, 
SAASM,  etc.) 


ATEC  IA  Methodology 


System  Acquisition  Life  Cycle 


Training  Assessment 

•  Participates  in  PM  training 
and  provides  feedback  on 
the  quality  of  the  Information 
Assurance  training. 


Susceptibility  Assessment 

•  Conducts  susceptibility 
testing 

Data  Collection 

•  Analyzes  susceptibility  data 
and  assists  in  determining 
required  fixes  prior  to  OT  start 

Threat  10/Vulnerability 
Assessment 

•  Conducts  “comm”  checks 


Susceptibility  Assessment 

•  Continues  to  conduct 
susceptibility  testing,  if  needed 
Data  Collection 

•  Observes  Threat 
IO/penetration  testing  impacts 
on  user  and  collects  data 
Threat  10  (if  IOT/FOC  event) 

•  Conducts  Threat  10  activities 
(requires  Threat  commander 
and  validated  threat) 
Vulnerability  (other  OT  event) 

•  Conducts  penetration  testing 


Begin  planning  and  coordination  early 


IA  Issues 


•  Metrics  for  determining  IA  capabilities: 

□  Protect  -  How  well  does  the  enterprise,  SoS,  system 
defeat  attacks  /  compromises? 

□  Detect  -  How  well  does  the  enterprise,  SoS,  system 
detect  and  alert  users  of  attacks  /  compromises? 

□  React  -  How  well  does  the  enterprise,  SoS,  system 
react  to  attacks  /  compromises? 

■  Was  the  response  sufficient? 

□  Restore  -  How  well  does  the  enterprise,  SoS,  system 
restore  information  /  systems  to  per-attack  / 
compromise  status? 


IA  Issues 


•  Methodology  for  determining  the  correct  balance 
between  information  assurance  and 
interoperability 

•  Are  the  current  IA  baseline  controls  sufficient? 

•  Best  use  of  M&S 

•  What  is  the  best  way  to  T&E  an  enterprise  / 
federation,  system-of-system? 


Contacts 


Dwayne  T  Hill 
CSTE-TT-MD 
(703)  681-2749 


Dwayne.Thomas.Hill@us.army.m 


Melanie  Miller 
CSTE-TT-MD 
(410)  278-1489 
Melanie.L.Miller@us.army.mil 
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